ARP
De Guifi.net - Wiki Català
|
25px
Aquesta wiki forma part dels materials d'un curs
| |
|---|---|
| Curs: | |
| Fitxers: | XarxesEthernetProtocolARP.pdf |
| Repositori SVN: | https://svn.projectes.lafarga.cat/svn/iceupc/LinuxAdministracioAvan%c3%a7ada/moodle/sessio2/transparencies/ |
| Usuari: | anonymous |
| Paraula de pas: | sense paraula de pas |
| Autors: | Sergi Tur Badenas |
Contingut
ARP
Consulteu arp de l'article Xarxes Linux.
Comanda arp
Permet gestionar la cache ARP
Per consultar la cache:
$ arp -n Address HWtype HWaddress Flags Mask Iface 192.168.1.1 ether 00:15:E9:CA:34:A5 C eth0 192.168.1.3 ether 00:18:F3:FB:FC:4A C eth0 192.168.1.6 ether 00:0E:35:29:2A:48 C eth0
Eliminar entrades de la cache:
$ sudo arp -d 192.168.1.1 $ sudo arp -d 192.168.1.3 $ sudo arp -d 192.168.1.6
Consulteu la cache amb:
$ arp -n
I veurem que la hem buidat...
Si fem un ping a les m
$ ping 192.168.1.1 $ ping 192.168.1.3 $ ping 192.168.1.6
Afegir una entrada estàtica a la taula ARP
Es poden afegir entrades estàtiques amb:
$ sudo arp -s IP MAC
Per exemple:
$ sudo arp -s 87.111.152.1 00:14:1c:32:af:1a
Podeu consultar la entrada amb:
Abans:
$ arp -n Address HWtype HWaddress Flags Mask Iface 87.111.152.1 ether 00:14:1c:32:af:1a CM eth0
Després:
$ arp -n Address HWtype HWaddress Flags Mask Iface 87.111.152.1 ether 00:14:1c:32:af:1a CM eth0
Observeu que la M indica entrada estàtica.
La entrada es pot afegir de forma temporal amb:
$ sudo arp -s 87.111.152.1 00:14:1c:32:af:1a temp
Podeu eliminar la entrada amb:
$ sudo arp -d 87.111.152.1
Es pot automatitzar l'acció d'afegir el vostre gateway com a entrada estàtica amb:
$ arp -s $(route -n | awk '/^0.0.0.0/ {print $2}') $(arp -n | grep `route -n | awk '/^0.0.0.0/ {print $2}'`| awk '{print $3}')
Es una bona forma d'intentar evitar els atacs de ARP Poisoning d'eines com dsniff o Ettercap.
Connectar a un dispositiu utilitzant la seva MAC
Independentment de que sapigueu o no la IP d'un dispositiu, si sabeu la seva MAC podeu connectar-vos-hi afegint una entrada estàtica a la taula ARP. Busqueu una IP lliure del vostre rang de xarxa i li "assigneu" al dispositiu amb MAC X (a l'exemple 00:14:1c:32:af:1a)
$ sudo arp -s 192.168.1.123 00:14:1c:32:af:1a
Ara ja podeu fer ping:
$ ping 192.168.1.123
En Windows seria:
ARP -s 10.1.2.3 08-00-09-12-34-56 ping 10.1.2.3
Capturar paquets arp amb tcpdump
Executem:
$ sudo tcpdump arp tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 09:54:40.061879 arp who-has 192.168.1.1 tell 192.168.1.2 09:54:40.062244 arp reply 192.168.1.1 is-at 00:15:e9:ca:34:a5 09:54:58.802487 arp who-has 192.168.1.3 tell 192.168.1.2 09:54:58.802576 arp reply 192.168.1.3 is-at 00:18:f3:fb:fc:4a 09:55:41.012054 arp who-has 192.168.1.6 tell 192.168.1.2 09:55:41.013671 arp reply 192.168.1.6 is-at 00:0e:35:29:2a:48
Comanda arpping
Consulteu arping de l'article Xarxes Linux.
Provocant arp-replys
Consulteu:
Xarxes_Linux#Provocar_arp-replys
Provocant arp-requests
Consulteu:
Xarxes_Linux#Provocar_arp-requests
RARP
Consulteu rarp de l'article Xarxes Linux.
Comanda ip (iproute2)
Es pot consultar la taula ARP amb:
$ sudo ip neigh show 87.111.152.1 dev eth0 lladdr 00:14:1c:32:af:1a REACHABLE
$ sudo arp -n Address HWtype HWaddress Flags Mask Iface 87.111.152.1 ether 00:14:1c:32:af:1a C eth0
Recursos:
$ sudo tcpdump -ennqti eth0 \( arp or icmp \)
Vegeu també:
Estats ARP
Taula:
Hi ha un timeout. El podeu observar amb:
$ sudo ip neighbor show 192.168.99.7 192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud reachable
$ sudo ip neighbor show 192.168.99.7 192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud stale
$ sudo ip neighbor show 192.168.99.7 192.168.99.7 dev eth0 lladdr 00:80:c8:e8:1e:fc nud delay
$ sudo ip neighbor show 192.168.99.7 192.168.99.7 dev eth0 lladdr 00:80:c8e8:1e:fc nud probe
$ sudo ip neighbor show 192.168.99.7 192.168.99.7 dev eth0 nud incomplete
Recursos:
Monitoritzar els canvis d'estat de la taula ARP
Vegeu:
Xarxes_Linux#ip_monitor
Problema ARP flux
Si una màquina té dues o més targetes connectades al mateix segment de xarxa, pot ocorrer el problema conegut com ARP Flux.
Consulteu:
ARP Proxy
This variable sets Proxy ARP on or off in kernel for specific devices. Proxy ARP is a system of automatically answering ARP queries for other hosts, that may for example be located on other network segments that we have contact with. This may be necessary under certain circumstances, where other routers do not know how to reach specific networks or hosts. The Linux firewall/router may then answer the ARP queries on behalf of the hosts that we want to Proxy ARP for. Proxy ARP is turned on for the network segment that we want to answer ARP queries for. We will then answer all ARP queries for that specific network or host, hence receiving the packets destined for the specific host, and we can then send them onwards to the real host. The proxy_arp variables takes a boolean value. Per default, it is turned off, and may be turned on (1) or off (2) at will. If you want more information about Proxy ARP,
- http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN628
- http://www.ibiblio.org/pub/Linux/docs/HOWTO/unmaintained/mini/Proxy-ARP
ARP Flushing
Paràmetres sysctl
arp-filter
- http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#GUIDEIPUNDERLINUX
- http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN594
ARP-SPOOFING
Consulteu l'article ARP-SPOOFING.
Ettercap
Consulteu Ettercap.
Arp-tools
$ sudo apt-get install build-essential gawk libnet1-dev $ wget http://www.packetfactory.net/libnet/dist/libnet.tar.gz $ tar xvzf libnet.tar.gz $ cd libnet/ $ ./configure $ make $ make install $ sudo make install
Tenim les eines:
- ARP Discover (arpdiscover), an Ethernet scanner based on ARP protocol;
- ARP Flood (arpflood), an ARP request flooder;
- ARP Poison (arppoison), for poisoning switches’ MAC address tables.
Un exemple:
$ sudo arpdiscover 192.168.12.1 25 using inteface eth0 our hw address is 00:30:05:EB:A3:8D our ip address is 192.168.12.20 bpf filter is 'ether dst 00:30:05:EB:A3:8D && arp' sniffer fork()ed into background with pid = 21448 request for hw address of ip address 192.168.12.1, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.2, 42 bytes to send, 42 bytes sent received arp packet 60 bytes, hw address is 00:0D:88:CC:B4:67, ip address is 192.168.12.1 request for hw address of ip address 192.168.12.3, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.4, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.5, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.6, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.7, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.8, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.9, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.10, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.11, 42 bytes to send, 42 bytes sent received arp packet 60 bytes, hw address is 00:30:05:EB:39:9D, ip address is 192.168.12.11 request for hw address of ip address 192.168.12.12, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.13, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.14, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.15, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.16, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.17, 42 bytes to send, 42 bytes sent received arp packet 60 bytes, hw address is 00:30:05:EB:3B:52, ip address is 192.168.12.16 request for hw address of ip address 192.168.12.18, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.19, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.20, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.21, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.22, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.23, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.24, 42 bytes to send, 42 bytes sent request for hw address of ip address 192.168.12.25, 42 bytes to send, 42 bytes sent waiting for sniffer terminate received arp packet 60 bytes, hw address is 00:19:06:FF:5B:C0, ip address is 192.168.12.2
Recursos:
arp-scan
$ sudo arp-scan --interface=eth1 --localnet Interface: eth1, datalink type: EN10MB (Ethernet) Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/) 192.168.1.1 00:15:e9:ca:34:a5 D-Link Corporation 192.168.1.2 00:30:1b:5e:09:a9 SHUTTLE, INC. 192.168.1.3 00:08:54:4b:70:98 Netronix, Inc. 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.6: 256 hosts scanned in 1.532 seconds (167.10 hosts/sec). 3 responded
$ sudo arp-scan --interface=eth1 192.168.0.0/16 Interface: eth1, datalink type: EN10MB (Ethernet) Starting arp-scan 1.6 with 65536 hosts (http://www.nta-monitor.com/tools/arp-scan/) 192.168.1.1 00:15:e9:ca:34:a5 D-Link Corporation 192.168.1.2 00:30:1b:5e:09:a9 SHUTTLE, INC. 192.168.1.3 00:08:54:4b:70:98 Netronix, Inc.
$ sudo arp-scan --interface=eth0 --arpspa=0.0.0.0 0.0.0.0/3
arpscan
nemesis
$ sudo apt-get install nemesis
$ dpkg -L nemesis /. /usr /usr/sbin /usr/share /usr/share/man /usr/share/man/man1 /usr/share/man/man1/nemesis-dns.1.gz /usr/share/man/man1/nemesis-icmp.1.gz /usr/share/man/man1/nemesis-igmp.1.gz /usr/share/man/man1/nemesis-ip.1.gz /usr/share/man/man1/nemesis-ospf.1.gz /usr/share/man/man1/nemesis-rip.1.gz /usr/share/man/man1/nemesis-tcp.1.gz /usr/share/man/man1/nemesis-udp.1.gz /usr/share/man/man1/nemesis.1.gz /usr/share/man/man1/nemesis-arp.1.gz /usr/share/man/man1/nemesis-ethernet.1.gz /usr/share/doc /usr/share/doc/nemesis /usr/share/doc/nemesis/README /usr/share/doc/nemesis/copyright /usr/share/doc/nemesis/changelog.gz /usr/share/doc/nemesis/changelog.Debian.gz /usr/bin /usr/bin/nemesis
$ sudo nemesis arp help
ARP/RARP Packet Injection -=- The NEMESIS Project Version 1.4beta3 (Build 22)
ARP/RARP Usage:
arp [-v (verbose)] [options]
ARP/RARP Options:
-S <Source IP address>
-D <Destination IP address>
-h <Sender MAC address within ARP frame>
-m <Target MAC address within ARP frame>
-s <Solaris style ARP requests with target hardware addess set to broadcast>
-r ({ARP,RARP} REPLY enable)
-R (RARP enable)
-P <Payload file>
Data Link Options:
-d <Ethernet device name>
-H <Source MAC address>
-M <Destination MAC address>
You must define a Source and Destination IP address.
$ sudo nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1
$ sudo tcpdump -i eth0 -e arp and host 192.168.1.50 > pcap &
$ sudo nemesis arp -S 192.168.1.50 -D 192.168.1.1 -M 01:01:01:01:01:01
$ sudo nemesis arp \ -S 192.168.1.50 \ # Your IP -D 192.168.1.1 \ # Suspected Promiscuous IP -M 01:01:01:01:01:01 # Non-existent MAC (on your network at least)
$ sudo cat pcap 00:50:2c:05:6b:a9 > 01:01:01:01:01:01, arp who-has 192.168.1.1 tell 192.168.1.50 00:0c:41:e9:2b:9d > 00:50:2c:05:6b:a9, arp reply 192.168.1.1 is-at 00:0c:41:e9:2b:9d http://www.google.es/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fforo.elhacker.net%2Fredes%2Finyector_de_paquetes_nemesis-t33197.0.html&ei=oopVSJ7lJ4200QSOhryEAw&usg=AFQjCNG76zInh463E4qnJU5vRc_oUBFClA&sig2=8SZmqxdZC1nAILxr41nV-g
Recursos:
ARP a Windows
Consulteu:
http://acacha.org/mediawiki/index.php/Nanostation#Problemes_amb_la_cache_ARP_de_Windows_i_la_IP_192.168.1.1
sysctl
TODO:
$ cat /proc/sys/net/ipv4/conf/all/arp_accept 0 $ cat /proc/sys/net/ipv4/conf/all/arp_announce 0 $ cat /proc/sys/net/ipv4/conf/all/arp_filter 0 $ cat /proc/sys/net/ipv4/conf/all/arp_ignore 0 $ cat /proc/sys/net/ipv4/conf/all/arp_notify 0
